Skip to main content

Examples

This section contains complete, production-ready examples demonstrating the power and flexibility of the Manetu PolicyEngine. Each example includes:

  • A complete PolicyDomain definition with all necessary policies, roles, groups, and resource groups
  • Test cases that you can run with mpe test decision to verify behavior
  • Detailed explanations of the design decisions and patterns used

Featured Examples

Overview

Unix Filesystem Permissions

Implements classic Unix-style permission bits (read/write for owner/group/other) using MPE's annotation system. Demonstrates how to:

  • Use resource annotations to store permission bits
  • Compare principal identity against resource ownership
  • Check group membership for group-level permissions
  • Fall back to "other" permissions for unrelated principals

MCP Server Access Control

Protects Model Context Protocol (MCP) servers with fine-grained access control for both metadata operations (tool:list, prompt:list) and data-path operations (tool:call, resource:read). Demonstrates:

  • Operation-based routing for different API endpoints
  • Tool-level permissions using annotations
  • Server registration and discovery controls

Multi-Tenant SaaS

Implements tenant isolation for a SaaS application where users belong to organizations and can only access resources within their tenant. Features:

  • Strict tenant boundary enforcement
  • Cross-tenant admin access for support teams
  • Organization-based group membership
  • Tenant-scoped resource groups

Healthcare Data Access (HIPAA)

Models HIPAA-compliant access control for electronic health records (EHR) with role-based access, patient consent, and break-glass emergency procedures. Includes:

  • Role hierarchy (physician, nurse, admin, patient)
  • Patient consent checking via resource annotations
  • Break-glass emergency access with audit flags
  • Minimum necessary access principle

API Quotas and Rate Limiting

Demonstrates using MPE for API quota enforcement and tiered access levels. Shows how to:

  • Define subscription tiers with different limits
  • Use annotations to track quota metadata
  • Implement feature flags per subscription level
  • Distinguish between billing tiers at policy evaluation time

Running the Examples

Each example includes a complete PolicyDomain YAML file and test input. Download links are available on each example page.

1. Validate the PolicyDomain

mpe lint -f policydomain.yml

2. Test Policy Decisions

# Test a specific scenario
mpe test decision -b policydomain.yml -i input.json

# Check just the decision
mpe test decision -b policydomain.yml -i input.json | jq .decision

3. Explore the Full Access Record

# See all policy references and phase evaluations
mpe test decision -b policydomain.yml -i input.json | jq .

Building Your Own

These examples are designed to be starting points. Feel free to:

  1. Copy and modify any example to fit your use case
  2. Combine patterns from multiple examples
  3. Extract reusable logic into Policy Libraries

Best Practices Demonstrated

These examples showcase several recommended patterns:

  • Default deny for tri-level policies: Using default allow = -1 with positive grants instead of explicit denies
  • Utils library pattern: Extracting common helpers like has_principal into a shared utils library
  • Set iteration: Using some x in {...} for concise, maintainable Rego
  • Operation prefixes: Using prefixes like mcp: to enable meaningful identity phase checks
  • Multiple libraries: Combining general utilities with domain-specific helpers

For more details on these patterns, see Writing Concise Rego and The Utils Library Pattern.

For more information on building PolicyDomains, see:

  • Creating Your First PolicyDomain
  • PolicyDomain Schema Reference
  • Best Practices